METHOD OF DETECTING MANIPULATION OF A PROGRAMABLE
MEMORY DEVICE OF A DIGITAL CONTROLLER 



Field Of The Invention 

The present invention relates to a method of detecting manipulation of a programable 
memory device of a digital controller for a motor vehicle, where data and control programs 
for operation of the controller and for control/regulation of certain functions of the motor 
vehicle can be stored in the memory device. The present invention also relates to an external
programing unit for programing and/or reprograming a flash memory of a digital controller 
for a motor vehicle, where data and control programs for operation of the controller and for 
control/regulation of certain functions of the motor vehicle can be stored in the flash memory. 
Finally, the present invention also relates to a digital controller for a motor vehicle having a 
programable memory device for storing data and control programs for operation of the 
controller and for control/regulation of certain functions of the motor vehicle. 

Background Information 

A method of detecting the manipulation of a programable memory device of the type defined 
above is known, for example, from German Published Patent Application No. 196 15 105. A 
controller described there contains a microcomputer, a first programable memory device and 
a second programable memory device. The first memory device is designed as an erasable 
non-volatile flash EPROM. The second memory device is designed as an EEPROM. Data and 
control programs for operation of the controller and for control/regulation of certain functions 
of the motor vehicle are stored in the first programable memory device. For execution of the 
control/regulatory functions assigned to the microcomputer and for self-control, the 
microcomputer processes the control programs which are stored in the first memory device 
together with data that might be needed to execute the programs. 

For programing/reprograming the controller, an external programing unit is provided and is
connected by a serial interface to the controller. The programing unit causes the controller to 
erase the data and/or control programs stored in the first memory device and then causes a 
new control program and/or new data to be stored in the first programable memory device.

In conjunction with programing/reprograming the first memory device, i.e., before, during 
and/or after erasing and/or overwriting the first memory device, the programing/reprograming 
operation is documented by storing the corresponding information in the second programable 
memory device. Storing the information during the programing/reprograming operation is 
preferable because, due to time interleaving of the programing/reprograming of the first 
memory device and the storage of information in the second memory device, the possibility 
of reprograming the first memory device without storing information regarding the 
programing/reprograming operation in the second memory is extremely low. 

Various conclusions can be drawn on the basis of the information stored in the second
memory device. First, disturbances in programing/reprograming the controller due to a 
defective external programing unit can be detected rapidly and correctly. Second, 
unauthorized manipulation of the control program in the first memory device can be detected 
and sometimes even traced back to the unauthorized manipulator on the basis of the stored 
information. Detection of an unauthorized manipulation of the controller is important because 
defects in the controller or in the units of the motor vehicle controlled or regulated by the 
controller can occur due to a faulty control program or a control program not aimed at
error-free operation of the internal combustion engine of the motor vehicle. Unauthorized
manipulation of the control program usually makes any warranty or liability claims null and 
void. 

A disadvantage of the method known from the related art is that it cannot readily be used with 
a traditional controller which has only the first programable memory device. The controller is
first expanded by the second programable memory device. In addition, the microcomputer of 
the controller not only has access to the first memory device but also has access to the second 
programable memory device. The information regarding the programing/reprograming 
operation to be stored in the second memory device is also very complex, so the time for 
programing/reprograming the memory device of the controller is greatly increased. 
Furthermore, the second memory device is erased before storing the information. This means
that the second memory device can also be erased by any unauthorized person having access 
to appropriate knowledge and hardware and can be overwritten with new information. Thus, 
with the method known from the related art, unauthorized manipulation of the control 
program of the controller cannot be detected reliably. 

Summary Of The Invention 

An object of the present invention is thus to design and improve upon a method such that 
unauthorized manipulation of the control program in the controller can be detected reliably 
and easily. 

Therefore, the present invention proposes that in conjunction with each programing/ 
reprograming operation of the programable memory device, information regarding the 
programing/reprograming operation can be stored in a separate memory area of the memory 
device where only reading and programming are possible, and in order to detect 
manipulation, the content of the separate memory area is read out and compared with given 
information. 

The method according to the present invention has the advantage that the information 
regarding the programing/reprograming operation is not stored in a second programable 
memory device as in the related art but instead is stored within the programable memory 
device where the control program is also stored. The information is stored within the memory 
device in a memory area where only reading and programing are possible, i.e., this memory 
area cannot be erased. This memory area lacks the hardware requirements (e.g., a line for
erasing) for erasing it. It is thus impossible to erase this memory area of the programable 
memory device under any circumstances. 

The information regarding the programing/reprograming operation stored in the memory area 
can be documented. If the motor vehicle then enters a workshop and warranty claims are 
made or if the memory device of the controller is to be reprogrammed, the content of the 
separate memory area can be read out and compared with the documented content of the 
memory area. If the information stored in the separate memory area matches the documented 
information, then there has not been unauthorized manipulation of the controller. If the 
information read out of the memory area does not match the documented information, then
there has been unauthorized manipulation of the controller. In such a case, warranty claims or 
liability claims, for example, can be refused. 

According to a preferred refinement of the present invention, information regarding the 
cumulative number of programing/reprograming operations is stored in the memory area of 
the programable memory device. Thus, with each programing/reprograming operation, the 
number stored in the separate memory area is incremented. The number of programing/ 
reprograming operations is documented. The number stored in the separate memory area can 
be read out on demand and compared with the documented number. If the two numbers do 
not match, there has been an undocumented and therefore unauthorized programing/ 
reprograming operation. According to this refinement, the information stored in the separate 
memory area is reduced to the minimum amount of data needed to detect unauthorized 
manipulation of the controller. 

According to a preferred embodiment of the present invention, the information regarding the 
programing/reprograming operation is stored in the separate memory area with each erase 
operation of the programable memory device. According to this embodiment, it is assumed 
that the programable memory device is erased before programing/reprograming the control 
program. The programable memory device is also erased before programing/reprograming the 
control program if the control program is secured with a seed-and-key method, as is known in 
the related art for preventing unauthorized manipulation, in addition to the method according 
to the present invention. The seed-and-key method is described in detail in German Published 
Patent Application No. 197 23 332, to which reference is herewith made explicitly. 

In the seed-and-key method, a reference word is formed and stored by a programmer in 
conjunction with programing/reprograming the controller as a function of the content of the 
programable memory area and a key. Before executing the control program, a code word is 
formed and compared with the reference word inside the controller on the basis of the 
programable memory area content and the key. If the code word matches the reference word, 
the control program is executed; otherwise, it is blocked, because the reference word is 
assumed to be incorrect because the programmer did not know the key and therefore this is a 
case of unauthorized programing/reprograming. If the content of the programable memory 
device is not erased before each programing/reprograming, checksum errors may occur in
forming the reference word or the code word. 

According to another preferred embodiment of the present invention, the information is stored 
by setting bits in the separate memory area. Thus, for example, it is conceivable for an 
additional bit to be set in the memory area in conjunction with each programing/reprograming 
operation to thereby store the cumulative number of programing/reprograming operations. 
This embodiment is a type of method of storing information regarding the programing/ 
reprograming operation in the separate memory area that saves on storage space and reduces 
storage time in particular. 

According to another advantageous refinement of the present invention, the information is 
stored in a one-time-programable (OTP) region of a programable memory device designed in 
the form of a flash memory. The OTP region involves one or more cells of the flash memory 
having no line for erasing the content of the flash cells. The flash cells of the OTP region 
have only lines for programing or reading the content of the flash cells. The flash memory is 
designed as a flash EPROM, for example. 

A flash memory is preferably programmed or reprogrammed with the help of an external 
programing unit, in particular with the help of a state machine. In a state machine, the
sequences of operations for programing/reprograming the programable memory device of a 
controller are encoded in the hardware. The sequences of operations for storing the 
information in the memory area are also encoded in the hardware in the state machine. In this 
way, manipulation of the storage operation of information in the separate memory area can be 
prevented effectively, and manipulation of the memory device can be reliably detected. 

As an alternative, the information from an element of the controller for storing information 
regarding the programing/reprograming operation is stored in the separate memory area.
According to this alternative embodiment, the information is thus stored in the memory area
in conjunction with the programing/reprograming operation by a suitable element of the 
controller. The programing/reprograming of the memory area can take place through an 
external programing unit, for example, as in the past. The element of the controller has a 
sequence of operations encoded in the hardware of the controller, for example, necessarily
causing the information to be stored in the separate memory area with each programing/
reprograming operation of the memory device. 

To carry out the method according to the present invention, starting from the external 
programing unit, the programing unit has an element for carrying out the method according to 
the present invention. Such an external programing unit is also known as a state machine. A
state machine is characterized in that the sequences of operations for programing/ 
reprograming the control program in the memory device and for storing the information in the 
separate memory area are encoded in the hardware, and the functionality is written in very 
high description language (VHDL). VHDL is a hardware description language which writes 
digital circuits on different levels (behavior, register transfer logic (RTL)). The external 
programing unit may be connected to the controller over a serial interface, for example, or by
a K line and a diagnostic plug. 

Finally, starting from a digital controller, to carry out the method according to the present 
invention, the controller has an element for carrying out the method according to the present 
invention. The information regarding the programing/reprograming operation is thus not 
stored in the separate memory area by external devices but instead this information is stored
by an internal element which is part of the controller. 

Brief Description Of The Drawings 

Figure 1 shows a digital controller for a motor vehicle for carrying out the method according 
to the present invention as in a preferred embodiment. 

Figure 2 shows a digital controller for a motor vehicle having an external programing unit for
carrying out the method according to the present invention as in a second preferred 
embodiment. 

Detailed Description 

The explanations given below relate to a method of detecting manipulation of a programable 
memory device of a digital controller for a motor vehicle, in particular for controlling the 
internal combustion engine, the transmission or the brakes of the motor vehicle. Figures 1 and 
2 show a digital controller 1 in its entirety. It has a programable memory device 2, where data
and control programs for operation of controller 1 and for controlling/regulating certain
functions of the motor vehicle can be stored. Controller 1 also has a microcomputer 3 which 
processes the control programs stored in memory device 2 for execution of the control/ 
regulatory function allocated to it and for self-control. The control program and the data 
needed for execution of the control program are transmitted over a data line 4 from memory 
device 2 to microcomputer 3. 

Memory device 2 of controller 1 is programmed/reprogrammed by way of an external
programing unit 5 connected to controller 1 over a serial interface, for example. External
programing unit 5 is designed as a state machine, characterized in that the sequences of
operations for programing/reprograming controller 1 are encoded in the hardware. In the
embodiment in Figure 1, external programing unit 5 is connected to controller 1 by a K line 6
and a diagnostic plug 7. For programing/reprograming of controller 1, the new data and/or the 
new control program is transmitted to programable memory device 2 over K line 6, 
microcomputer 3 and data line 4. 

Programable memory device 2 is designed as a flash EPROM. A flash EPROM has a separate 
memory area 8, the one-time-programable (OTP) region. This separate memory area 8 of 
programable memory device 2 has a plurality of flash cells having no line for erasing the 
memory content of the flash cells. The flash cells of separate memory area 8 only have lines 
for programing and for reading the content of the flash cells. 

According to the present invention, information regarding the programing/reprograming 
operation is stored in separate memory area 8 of memory device 2 in conjunction with each 
programing/reprograming operation of programable memory unit 2. Controller 1 therefore 
has an element 9 to receive from microcomputer 3 over a line 10 information regarding when 
memory device 2 is erased or programmed. Element 9 then stores information regarding the 
programing/reprograming operation in separate memory area 8 following each erase 
operation and each programing operation of programable memory device 2 over a line 11.

Information stored in memory area 8 preferably includes the cumulative number of 
programing/reprograming operations of memory device 2. For storing the cumulative number 
of programing/reprograming operations, a bit is set in separate memory area 8 for each 
programing/reprograming operation executed.

The information regarding the programing/reprograming operation stored in memory area 8 is 
documented. When the motor vehicle is taken to a workshop and warranty claims are made or 
if memory device 2 of controller 1 is to be reprogrammed, the content of separate memory
area 8 can be read out and compared with the documented information in memory area 8. If
the information stored in separate memory area 8 matches the documented information, there
has not been any unauthorized manipulation of controller 1. If the information read out of
memory area 8 does not match the documented information, then there has been an
unauthorized manipulation of controller 1. In such a case, warranty or liability claims can be
refused. 
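
The counter scheme described above (one bit set in separate memory area 8 per programing/reprograming operation, then read out and compared with the documented number), as an added C illustration that is not part of the original application. The 4-byte area size, the function names and the refusal when the area is full are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

#define OTP_BYTES 4   /* constructed size: room for 32 recorded operations */

/* Model of separate memory area 8: read and program only, no erase path. */
typedef struct { uint8_t cell[OTP_BYTES]; } otp_area;

/* Programing can only set bits; nothing here can clear one again. */
static void otp_program(otp_area *a, int i, uint8_t mask) { a->cell[i] |= mask; }

/* Cumulative number of programing operations = number of set bits. */
int otp_read_count(const otp_area *a) {
    int n = 0;
    for (int i = 0; i < OTP_BYTES; i++)
        for (uint8_t b = a->cell[i]; b; b >>= 1)
            n += b & 1;
    return n;
}

/* Role of element 9 / element 14: set one more bit per erase or programing
 * operation. Returns -1 when every bit is used, so the caller can refuse
 * the operation rather than perform it unrecorded (an added assumption). */
int otp_record_operation(otp_area *a) {
    for (int i = 0; i < OTP_BYTES; i++)
        for (int bit = 0; bit < 8; bit++)
            if (!(a->cell[i] & (1u << bit))) {
                otp_program(a, i, (uint8_t)(1u << bit));
                return 0;
            }
    return -1;
}

/* Workshop check: 1 if the read-out count differs from the documented one. */
int otp_manipulated(const otp_area *a, int documented) {
    return otp_read_count(a) != documented;
}

/* Constructed scenario: two documented operations, then one undocumented.
 * Returns the check result before (bit 0) and after (bit 1) the reflash. */
int demo_undocumented_reflash(void) {
    otp_area a = {{0}};
    otp_record_operation(&a);               /* factory programing, documented */
    otp_record_operation(&a);               /* workshop update, documented    */
    int before = otp_manipulated(&a, 2);
    otp_record_operation(&a);               /* reflash nobody documented      */
    return before | (otp_manipulated(&a, 2) << 1);
}

int main(void) {
    printf("check result bits: %d\n", demo_undocumented_reflash());
    return 0;
}
```

Because the model has no function that clears a bit, the read-out count can only stay equal to or exceed the documented count, which is what makes the comparison meaningful.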

Data stored in memory device 2 is protected against unauthorized manipulation of the control
program by a seed-and-key method which is described in detail in German Published Patent
Application No. 197 23 332.

Figure 2 illustrates an alternative embodiment for implementation of the method according to 
the present invention. In contrast with the embodiment according to Figure 1, external
programing unit 5 in this embodiment is connected to controller 1 via a serial interface 12 and
a data line 13. Programing unit 5 has an element 14 by which information regarding the
programing/reprograming operation in conjunction with each programing/reprograming 
operation of programable memory device 2 is stored in separate memory area 8. Element 14 
is designed as an electric circuit, for example, causing microcomputer 3 of controller 1 to set 
certain bits in memory area 8 over line 11 before, during or after the programing/
reprograming operation.